At least two new versions of a malicious computer worm that appeared late Friday were circulating on the Internet Monday,
according to computer security experts and antivirus software companies.
New variations of the Sasser Internet worm, named Sasser.B and Sasser.C were identified by antivirus companies, just days
after the first version of the new worm appeared. Despite the new versions, antivirus experts said that Sasser outbreak has
likely peaked, and expected the rate of new infections to slow on Monday.
Sasser exploits a recently disclosed hole in a component of Microsoft Corp.'s Windows operating system called the Local Security
Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on April 13.
Sasser is similar to an earlier worm, Blaster, because users do not need to receive an e-mail message or open a file to be
infected. Instead, just having a vulnerable Windows machine connected to the Internet with communications port number 445
is enough to catch Sasser.
After appearing Friday, the worm spread quickly around the world, and may have infected a few hundred thousand machines, said
Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center, which monitors malicious activity
on the Internet.
Given the large number of vulnerable computers that have been infected by Sasser, a Windows machine connected to the Internet
could be infected in as little as two minutes, said Graham Cluley, senior technology consultant at antivirus company Sophos
PLC.
Early versions of the worm spread slowly, however, especially compared to the rapid proliferation of Blaster, which appeared
in August 2003 and peaked just hours after its release, Cluley and Ullrich said.
By comparison, Sasser.A contained features that prevented it from rapidly scanning the Internet for other vulnerable hosts
and at first appeared to be a low level threat. However, new versions of the worm that appeared over the weekend, especially
Sasser.C, improved on failures in Sasser.A, allowing infected machines to scan for many more infected hosts, Ullrich said.
Sasser's spread was also slowed because it relied on port 445, which has long been a target of malicious threats, such as
Agobot, a prolific Trojan program. As a result, many companies blocked access to port 445 long before Sasser appeared, Joe
Stewart, senior security researcher at LURHQ, a managed security services provider in Myrtle Beach, South Carolina.
Many of the infected machines are probably home computers connected to the Internet with broadband connections and already
infected with other viruses, including a malicious program called "Phatbot" that has been modified to take advantage of the
LSASS vulnerability, also, Ullrich said.
However, more Sasser versions appear to be on the way that could use different communications ports to spread, Ullrich said.
On Monday, Sophos identified yet another variant, Sasser.D, Cluley said.
The Internet Storm Center set its Internet alert or "Infocon" level to "yellow" over the weekend, indicating a "significant
new threat." The alert level was expected to stay at "yellow" Monday, when more infections were likely as workers returned
to their office, possibly with laptop computers infected through home Internet connections, Ullrich said.
However, he expects the alert level to return to green by the end of the day, as users repair infected systems, he said.
Like other viruses, including Blaster, Sasser will linger on the Internet for a long time, Cluley said.
"We're still finding people who are infected with Blaster. Many people won't even know they're infected with Sasser for months,
and those infected machines will continue to try to infect other (machines) in the weeks and months ahead," he said.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
